A technical reference architecture for cloud security, coauthored by the Cybersecurity and Infrastructure Security Agency, the United States Digital Service, and the Federal Risk and Authorization Management Program. It covers topics such as cloud service models, FedRAMP, cloud migration, DevSecOps, and cloud security posture management, and is updated as needed to reflect modern security practices and technologies.
Coauthored by: Cybersecurity and Infrastructure Security Agency (CISA), United States Digital Service (USDS), and Federal Risk and Authorization Management Program (FedRAMP)
June 2022
Version 2.0
The version number will be updated as the document is modified. This document will be updated as needed to reflect modern security practices and technologies.
Table 1: Revision History
Version Date Revision Description Sections/Pages Affected
1.0 August 2021 Initial Release All
2.0 June 2022 Response to RFC Feedback All
Cybersecurity and Infrastructure Security Agency
CISA is the operational lead for federal civilian cybersecurity and executes the broader mission to understand and reduce cybersecurity risk to the nation. In this role, CISA seeks to provide enhanced support for agencies adopting cloud services to improve situational awareness and incident response in cloud environments. CISA is responsible for aiding federal agencies, critical infrastructure, and industry partners as they defend against, respond to, and recover from major cyber attacks.
United States Digital Service
The United States Digital Service (USDS) is a senior team of technologists and engineers that supports the mission of departments and agencies through technology and design. USDS’s multi-disciplinary teams bring best practices and new approaches to support government modernization efforts. USDS is situated under OMB.
OMB produces the president's budget, examines agency programs, policies, and procedures to assess whether they comply with the president's policies, and coordinates inter-agency policy initiatives. OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB also ensures that agency reports, rules, testimony, and proposed legislation are consistent with the president's budget and administration policies. OMB also oversees and coordinates the administration's procurement, financial management, information, and regulatory policies. In each of these areas, OMB's role is to help improve administrative management, develop better performance measures and coordinating mechanisms, and reduce unnecessary burdens on the public.
Federal Risk and Authorization Management Program
Established in 2011, FedRAMP provides a cost-effective, risk-based approach for the adoption and use of cloud services by the Federal Government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.
FedRAMP is a program under the General Services Administration (GSA), which manages and supports the basic acquisition and procurement functions of federal agencies. GSA supplies products and communications for U.S. government offices, provides transportation and office space to federal employees, and develops government-wide cost-minimizing policies and other management tasks.
Executive Order 14028, “Improving the Nation’s Cybersecurity” (May 12, 2021)^1 marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. Among other policy mandates, Executive Order 14028 embraces zero trust as the desired model for security and tasks the Cybersecurity and Infrastructure Security Agency (CISA) with modernizing its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments. While Executive Order 14028 marks a shift in federal policy, many efforts undertaken in recent years support the key tenets of this Executive Order. For example:
These preexisting efforts should continue; however, new leadership, evolving threats, and changing requirements and technologies present an opportunity to enhance existing strategies and architectural approaches. In addition, recent cyber breaches affecting cloud computing environments have had wide-ranging implications and demand a national response. These compromises demonstrate that “business as usual” approaches are no longer acceptable for defending the nation from cyber threats. Furthermore, cloud migration requires changes in culture, priorities, and design approaches that must be embraced, driven, and supported by the entire organization in order to succeed.
This Cloud Security Technical Reference Architecture builds on the initiatives above and supports the continued evolution of federal agencies within a rapidly evolving environment and technology landscape through a focus on cloud modernization efforts, namely: shared services, designing software in the cloud, and cloud security posture management.
(^1) Office of Management and Budget, “Executive Order on Improving the Nation’s Cybersecurity,” (2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
(^2) Office of Management and Budget, “Executive Order – Improving Critical Infrastructure Cybersecurity,” (2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
(^3) Office of Management and Budget, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (2017), https://trumpwhitehouse.archives.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/.
(^4) Office of Management and Budget, “Executive Order on Securing the Information and Communications Technology and Services Supply Chain,” (2019), https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/.
The purpose of the Cloud Security Technical Reference Architecture is to guide agencies in a coordinated and deliberate way as they continue to adopt cloud technology. This approach will allow the Federal Government to identify, detect, protect, respond, and recover from cyber incidents, while improving cybersecurity across the .gov enterprise. As outlined in Executive Order 14028, this document seeks to inform agencies of the advantages and inherent risks of adopting cloud-based services as they begin to implement zero trust architectures.^5 The Cloud Security Technical Reference Architecture also illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.
This technical reference architecture is intended to provide guidance to agencies adopting cloud services in the following ways:
This technical reference architecture is divided into three major sections:
While each major section covers unique aspects of cloud security, they share common synergies that support the overall goal of modernizing cloud security. Understanding the features of shared services and the delineation of responsibilities for managing and securing such services is critical to agencies’ cloud migration and security posture management. Migrating to the cloud can help agencies keep pace with the evolving technology landscape by improving both their operations and their security. Lastly, CSPM capabilities will allow agencies to dynamically protect their cloud resources both at scale and across their infrastructure.
Figure 1 details the composition and commonalities.
(^5) National Institute of Standards and Technology, “NIST Special Publication 800-207: Zero Trust Architecture,” (2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf.
(^6) Office of Management and Budget, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” (2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf.
emphasis with security; for example, the emphasis on building expertise in the federal IT workforce should include prioritizing skill sets and training in cloud computing security architectures.
This section introduces shared services and the security implications for agencies and vendors. The section provides an overview on cloud service models and explains how agencies can leverage FedRAMP services to support their cloud migration. It is important to note that the features of the cloud services models described in this section rely on contractual terms set during procurement; cloud acquisition is outside of the scope of this technical reference architecture.
This section will:
There are many options when moving infrastructure, applications, or services into the cloud. Typically, these options are referred to as “_aaS,” where the “_” can be a letter or a series of letters that describes the type of cloud-based offering. NIST has defined three basic cloud service models: SaaS, or Software-as-a-Service; PaaS, or Platform-as-a-Service; and IaaS, or Infrastructure-as-a-Service.^10
As cloud has evolved over the years, there is an ever-growing list of other _aaS acronyms for various offerings, including Desktop-as-a-Service (DaaS), Security-as-a-Service (SECaaS), Artificial Intelligence-as-a-Service (AIaaS), Container-as-a-Service (CaaS), Disaster Recovery-as-a-Service (DRaaS), Internet of Things-as-a-Service (IOTaaS), Location-as-a-Service (LaaS), Monitoring-as-a-Service (MaaS), Unified Communications-as-a-Service (UCaaS), and Workspace-as-a-Service (WaaS), among others. These additional offerings overlap with the three basic service models and are blurring the delineation between SaaS, PaaS, and IaaS, further complicating responsibilities around maintenance and security.
(^10) National Institute of Standards and Technology, “NIST Special Publication 800-145: The NIST Definition of Cloud Computing,” (2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
(^11) National Institute of Standards and Technology, “NIST Special Publication 800-145: The NIST Definition of Cloud Computing,” (2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
However, SaaS, PaaS, and IaaS are the most prevalent cloud service models, and each has differences in how they are consumed and protected. This is commonly represented via the shared security model, illustrated in Figure 2. Such models outline which party has responsibility for technology, security, data, etc.
Figure 2: Responsibilities for Different Service Models
The shared security model (Figure 2) shows that the responsibility for securing a SaaS offering relies heavily upon the service provider. However, this also means that the agency consuming the service is placing more trust in the service provider. This contrasts with IaaS, where much responsibility falls on the agency, some responsibility resides with the cloud service provider (CSP), and other responsibilities are shared. CSPs may define this shared security relationship differently from one vendor to the next. Agencies must clearly identify and understand the delineation of responsibilities between themselves and their CSP. Agencies should carefully set up service level agreements (SLAs) to define expectations and responsibilities with each of their CSPs. Agencies may find that they need to change their security posture to stay current with their CSP(s) as those CSPs update their service offerings. Agencies should ensure that they properly understand the security posture of their selected CSP(s) both initially and continuously over time.
Agencies may also use services provided by other agencies, such as a sub-agency using services offered by a parent agency. These services can range from SaaS applications like email to an IaaS environment that the sub-agency is granted access to by the parent agency. In these cases, coordination of roles and responsibilities must be understood between the parent and sub-agency including, but not limited to,
Community: The cloud infrastructure is provisioned to a specific community of consumers that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more organizations, an authorized third party, or some combination of these entities. The infrastructure may exist on or off premises.
Public: The cloud infrastructure is provisioned for use by the general public. It may be owned, managed, and operated by one or more organizations, an authorized third party, or some combination of these entities. The infrastructure exists off-premises.
Hybrid: The cloud infrastructure is a composition of two or more of the above deployment models (i.e., Private, Community, or Public). In this instance, multiple deployment models are connected through a standardized or proprietary technology offered by the provider to maintain compatibility of data and applications.^12
Regarding community cloud, many consider government cloud offerings to be a type of community cloud model. While government cloud deployments may offer some protections beyond public cloud offerings, such as US citizens working at the CSP data center, there may be some disadvantages, too. Typically, CSPs offer new security features and tools first to the public model. It may take weeks, months, or years for these same security features and tools to be offered to government cloud deployments. Also, some features within the tools offered by CSPs in a Public cloud deployment may never be implemented in the associated government deployment. Additionally, government cloud deployments are limited to U.S. regions. Some agencies may require a global reach that is best accomplished through a public cloud deployment.
Agencies are likely to operate in a multi-cloud environment. Agencies operating in a multi-cloud environment need to optimize their environments while maintaining situational awareness and proper security practices in each CSP they operate within. Agencies can choose to protect each of these services as an entity on its own or they may decide to maintain a holistic view of their security posture for all the services they consume. Agencies are encouraged to use tools that provide a holistic view of their application and infrastructure across all CSPs to manage security policy in a centralized way. Agencies also have the choice to use tools that are offered by CSPs and by third-party vendors for security analysis across multiple CSPs. Agencies will want to determine which of these tools best improve their security posture based on their specific needs. Agencies should evaluate the benefits and shortcomings of security tools offered by CSPs and independent tools designed for multi-cloud environments. Where possible, agencies should use security tools that can work across multiple CSPs.
Agencies should evaluate how to best monitor each cloud service they use and maintain situational awareness and proper security practices. It is important to find parity in the security information between the different cloud offerings an agency uses. Normalizing logs by type will help achieve parity, as each service offering will vary in the field names and the number of fields in the logs it makes available. Agencies should determine whether they will consolidate logs in a central location for analysis and, if so, which logs and how the logs will be backhauled. Some logs will have a consolidated location, such as authentication logs when an integrated identity provider is used across multiple CSPs. Agencies must be aware of and follow OMB Memorandum (M)-21-31 for log management.^13
(^12) National Institute of Standards and Technology, “NIST Special Publication 800-145: The NIST Definition of Cloud Computing,” (2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
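As an added illustration of the log normalization by type described above (example code, not part of the CISA document): two constructed, hypothetical provider log formats for sign-in events, with different field names, timestamp encodings, and field counts, are mapped onto one common schema so that a single failed-login query gives the same answer across both CSPs.

```python
"""Normalize sign-in logs from two cloud providers into one schema.

Both input formats are constructed for this example and do not reproduce any
real CSP's log format. Provider "alpha" emits nested JSON with its own field
names; provider "beta" emits flat key=value lines with different names, an
epoch timestamp, and fewer fields (no source IP).
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records (not real provider output).
ALPHA_RECORDS = [
    '{"eventTime": "2022-06-01T12:00:01Z", "eventName": "ConsoleLogin", '
    '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5", '
    '"responseElements": {"ConsoleLogin": "Failure"}}',
    '{"eventTime": "2022-06-01T12:00:05Z", "eventName": "ConsoleLogin", '
    '"userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.7", '
    '"responseElements": {"ConsoleLogin": "Success"}}',
    '{"eventTime": "2022-06-01T12:00:09Z", "eventName": "ConsoleLogin", '
    '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5", '
    '"responseElements": {"ConsoleLogin": "Failure"}}',
]
BETA_LINES = [
    "ts=1654084803 type=signin principal=alice result=fail mfa=false",
    "ts=1654084810 type=signin principal=carol result=ok mfa=true",
    "ts=1654084815 type=token_refresh principal=bob result=ok mfa=true",
]


@dataclass(frozen=True)
class AuthEvent:
    """Common schema for one sign-in attempt, whichever CSP produced it."""
    ts: str                 # ISO-8601 UTC, e.g. 2022-06-01T12:00:01Z
    provider: str
    principal: str
    outcome: str            # "success" or "failure"
    src_ip: Optional[str]   # None when the source log lacks the field
    mfa: Optional[bool]     # None when the source log lacks the field


def parse_alpha(raw: str) -> Optional[AuthEvent]:
    """Map one alpha JSON record to AuthEvent; non-login events yield None."""
    rec = json.loads(raw)
    if rec.get("eventName") != "ConsoleLogin":
        return None
    result = rec.get("responseElements", {}).get("ConsoleLogin", "")
    return AuthEvent(
        ts=rec["eventTime"],
        provider="alpha",
        principal=rec["userIdentity"]["userName"],
        outcome="success" if result == "Success" else "failure",
        src_ip=rec.get("sourceIPAddress"),
        mfa=None,  # alpha's constructed format carries no MFA field
    )


def parse_beta(raw: str) -> Optional[AuthEvent]:
    """Map one beta key=value line to AuthEvent; non-signin events yield None."""
    kv = dict(tok.split("=", 1) for tok in raw.split())
    if kv.get("type") != "signin":
        return None
    when = datetime.fromtimestamp(int(kv["ts"]), tz=timezone.utc)
    return AuthEvent(
        ts=when.strftime("%Y-%m-%dT%H:%M:%SZ"),  # epoch -> same ISO form as alpha
        provider="beta",
        principal=kv["principal"],
        outcome="success" if kv.get("result") == "ok" else "failure",
        src_ip=None,  # beta's constructed format carries no source address
        mfa=kv.get("mfa") == "true",
    )


def normalize(alpha: Iterable[str], beta: Iterable[str]) -> List[AuthEvent]:
    """Parse both feeds, drop non-sign-in records, and order by timestamp."""
    events = [e for e in map(parse_alpha, alpha) if e is not None]
    events += [e for e in map(parse_beta, beta) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def failed_logins_by_principal(events: Iterable[AuthEvent]) -> Dict[str, int]:
    """One query over the common schema counts failures across every CSP."""
    return dict(Counter(e.principal for e in events if e.outcome == "failure"))


def providers_with_failures(events: Iterable[AuthEvent]) -> Dict[str, Set[str]]:
    """Which CSPs saw failed sign-ins for each principal (cross-CSP view)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.outcome == "failure":
            seen[e.principal].add(e.provider)
    return dict(seen)


if __name__ == "__main__":
    merged = normalize(ALPHA_RECORDS, BETA_LINES)
    print("failed sign-ins:", failed_logins_by_principal(merged))
    print("providers with failures:", providers_with_failures(merged))
```

Fields one provider does not emit stay explicitly `None` in the common schema rather than being silently dropped, so downstream queries can tell "not recorded" from "recorded as false".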
When planning to adopt cloud services, agencies must determine how they will implement authentication and access management for each service. They must consider the implications associated with where their identity provider will reside (e.g., on-premises or in a CSP; if they use more than one CSP, which one will host the identity provider). Agencies should implement the strongest security features wherever possible, such as phishing-resistant multi-factor authentication (MFA),^14,^15 and they should consider when to use convenience features like single sign-on.
When operating in a multi-cloud environment, agencies should be cognizant of the potential for vendor lock-in. Vendor lock-in occurs when a tenant has dependencies on services and resources within a CSP. In some cases, choosing to architect solutions that introduce vendor lock-in can provide many advantages. In other situations, agencies might need to architect solutions with minimal vendor lock-in so that solutions can easily be deployed across different services with minimal changes to configurations and deployment settings.
FedRAMP was established in 2011 by the OMB Memorandum, “Security Authorization of Information Systems in Cloud Computing Environments,” known as the FedRAMP Memo.^16 FedRAMP provides a cost-effective, risk-based approach for the adoption and use of cloud services by the Federal Government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessments for cloud technologies and federal agencies. As described in the FedRAMP Memo, FedRAMP is applicable to:
The FedRAMP Memo further requires each Executive department or agency to:
(^13) “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” Office of Management and Budget, (2021), https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf.
(^14) Office of Management and Budget, “OMB M-22-09. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” (2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf.
(^15) In this document, as in OMB M-22-09, “phishing-resistant” authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.
(^16) Office of Management and Budget, “Security Authorization of Information Systems in Cloud Computing Environments,” (2011), https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf.
Four stakeholder groups serve roles in FedRAMP—CSPs, 3PAOs, federal agencies, and the JAB.
Cloud Service Providers
The Federal Government is one of the largest buyers of cloud technology, and CSPs offer agencies innovative products that help them save time and resources while meeting their critical mission needs. CSPs that have a Cloud Service Offering (CSO) in use by the Federal Government should obtain a FedRAMP Authorization and be committed to understanding FedRAMP, leveraging FedRAMP templates to maintain alignment to and compliance with the shared responsibility requirements established by FedRAMP. FedRAMP provides a standardized security framework for all cloud products and services that is recognized by all Federal Civilian Executive Branch (FCEB) agencies. CSPs only need to go through the FedRAMP Authorization process once for each CSO and perform continuous monitoring of each authorized service. All agencies review the same continuous monitoring deliverables to create efficiency across the government. The FedRAMP PMO provides training, guidance, and advisory support to CSPs, helping them navigate the FedRAMP process and understand the requirements. CSPs providing CSOs for federal consumption should be committed to understanding FedRAMP and leverage FedRAMP templates to maintain alignment to and compliance with the shared responsibility requirements established by FedRAMP.
Third Party Assessment Organizations
Third Party Assessment Organizations (3PAOs) play a critical role in the authorization process by assessing the security of a CSO. As independent third parties, they perform initial and periodic assessments of cloud systems based on federal security requirements. The Federal Government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. During FedRAMP assessments, 3PAOs produce a Readiness Assessment Report (RAR), which is required for the JAB Authorization process. While a RAR is optional for agency authorizations, it is highly recommended. For both JAB and agency authorizations, 3PAOs produce a Security Assessment Plan (SAP) and Security Assessment Report (SAR). The SAP and SAR must be submitted to a government Authorizing Official (AO) for authorization.
Federal Agencies
FedRAMP helps federal agencies use cloud services to securely modernize their technology and support their mission. To do this, agencies use FedRAMP’s standardized baselines to evaluate the security of cloud services. Agencies work with CSPs to review the security posture and authorize the CSO for any cloud services that they wish to use. To establish a consistent approach to federal cloud adoption, agencies and CSOs are encouraged to receive FedRAMP training and to develop system-level security artifacts using FedRAMP templates. Agencies can review and reuse CSO security packages once they are designated as “Authorized” within the FedRAMP Marketplace by issuing their own authorization to use the product. FedRAMP’s “do once, use many” principle enables agencies to expand the marketplace of secure cloud services available to the Federal Government.
Joint Authorization Board
The JAB is the primary governance and decision-making body for FedRAMP. The JAB consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB is responsible for:
The JAB Charter provides additional details on the objectives and responsibilities of the board.^19
FedRAMP’s role is to provide a standardized approach to security and risk assessment for cloud technologies and federal agencies. Even after authorization, CSPs and agencies should be aware of ongoing security requirements and considerations.
It is inevitable that the security posture of an agency’s system will change after receiving authorization. This may be due to changes in the hardware or software on the cloud service offering or the discovery of new exploits. Ongoing assessment and authorization provide federal agencies using cloud services a method of detecting changes to the security posture of a system for the purpose of making risk-based decisions. Agencies using cloud environments remain responsible for monitoring portions of the environment that CSPs do not monitor, which is generally covered under separate authorizations (See Section 3.1 for how the layers of the cloud service models work with various roles and responsibilities).
The FedRAMP Continuous Monitoring Strategy Guide describes the FedRAMP strategy for a CSP to use once it has received a FedRAMP Authorization (via agency authorization or JAB provisional authorization).^20 The CSP must continuously monitor the cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. The guide instructs the CSP on the FedRAMP strategy to continuously monitor their systems. FedRAMP provides additional continuous monitoring guidance documents, such as the FedRAMP Guide for Multi-Agency Continuous Monitoring.^21 FedRAMP strongly encourages agencies to leverage this guide in order to share the
(^19) The Federal Risk and Authorization Management Program, “Joint Authorization Board Charter,” (2018), https://www.fedramp.gov/assets/resources/documents/FedRAMP_Joint_Authorization_Board_Charter.pdf.
(^20) The Federal Risk and Authorization Management Program, “FedRAMP Continuous Monitoring Strategy Guide,” (2018), https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf.
(^21) The Federal Risk and Authorization Management Program, “Agency Guide for Multi-Agency Continuous Monitoring,” (2020), https://www.fedramp.gov/assets/resources/documents/Agency_Guide_for_Multi-Agency_Continuous_Monitoring.pdf.
CSP is responsible for. The authorization boundary is a critical component associated with NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems, and OMB Circular A-130, Managing Information as a Strategic Resource.
FedRAMP is currently updating the Authorization Boundary Guidance document^26 to reflect changes to cloud computing technology and federal information security policy relevant to FedRAMP. The major changes will include:
FedRAMP does impose requirements that data centers be located in the U.S., U.S. territories, or geographic locations where there is U.S. jurisdiction, but only for the high baseline. For the FedRAMP low and moderate baselines, agencies should be aware that there are no implicit or explicit protections ensuring that their data will stay only within the U.S. or that their resources will only be established in regions that operate within the U.S. Agencies must establish these boundaries and expectations with their CSPs and address any concerns about data or resources located outside the U.S., U.S. territories, or geographic locations under U.S. jurisdiction through SLAs or memorandums of understanding (MOUs).
This section introduces the compute plane and considerations for agencies as they design, implement, and maintain digital services in the cloud. To ensure an efficient and secure transition to cloud services, agencies should:
Agencies can utilize the flexibility of the cloud to combine services in support of their mission. Agencies should work to implement security measures into their cloud-based digital services as early as possible in the Software Development Life Cycle (SDLC). Agencies that facilitate DevSecOps with automated security testing will be able to develop architectures that are scalable, repeatable, reliable, and aligned with zero trust philosophy. This process requires collaboration across agency teams to build digital services. DevSecOps can combine with centralized SaaS, supported by IT departments, to enable security testing of software for release. Cloud-based digital services can span IaaS, PaaS, and SaaS. These service models, along with the on-premises model, vary in who is responsible for different layers of the system architecture, as discussed in Section 3. It is imperative for agencies to confirm which services and functions their vendors are and are not providing.
(^26) The Federal Risk and Authorization Management Program, “Requesting Public Comment on FedRAMP Authorization Boundary Guidance,” (2021), https://www.fedramp.gov/blog/2021-07-14-Public-Comment-Boundary-Guidance/.
Agencies moving software and digital services from an on-premises data center to the cloud can produce more reliable, scalable, and predictable software. Cloud services allow agencies to have disaster recovery available in other geographical areas and quickly expand capacity when needed, all without having to purchase another data center. Agencies can initially transition smaller, internal projects and tools to the cloud to gain experience and confidence working in a new environment before attempting to migrate larger services. Shifting to cloud is also an opportunity to redesign older digital services to enable bold progress or modernization.
The cloud offers a long list of well-known benefits; in particular, one that agencies should consider is that building zero trust architectures, and more secure applications, can be easier in the cloud. CSPs can address aspects of the five zero trust pillars (Identity, Devices, Networks, Applications, and Data) and enable the visibility needed to begin creating cross-pillar interactions.^27 By selecting services with the appropriate FedRAMP authorization level, agencies can typically expedite an ATO, easing the migration process. Correctly configuring these services, establishing effective ICAM roles, and protecting sensitive information using encryption provided by a Key Management System (KMS) may be the responsibility of DevSecOps teams or other administrators. Section 5 has additional guidance for Cloud Security Posture Management.
Agencies should consider the security advantages of using APIs (see Section 5.3.8) or data services to securely manage their cloud deployments. Services from CSPs and third-party vendors can provide access to the same data without forcing agencies to build, verify, and maintain complex software. APIs provided by CSPs and others typically have a full staff of developers and other experts who focus solely on these systems. Creating an equivalent team within an agency can be costly and time consuming, drawing resources away from an agency’s mission.
Cloud migration is the process of moving business operations and missions into the cloud. For many agencies, this means shifting from legacy infrastructure that may no longer support their needs to a modern infrastructure that offers a more flexible and more cost-effective solution for an agency's applications. Cloud environments inherently involve a shift in mindset from on-premises solutions. Certain cloud functions can operate in ways that on-premises functions cannot, such as infrastructure as code (IaC) concepts. These concepts include dynamic provisioning and decommissioning of resources based on the elasticity of demand on services, or time-based maintenance that replaces portions of infrastructure for security purposes.
Cloud migration involves a lot of preparation and depends on the size of the application ecosystem, the age of the current applications and systems, the user base, and the amount of data. Agencies should consider the age and quantity of data in their application ecosystem; as data accumulates over time, it can pose additional challenges to cloud migration. When agencies decide to migrate their application
(^27) Cybersecurity and Infrastructure Security Agency. “CISA Zero Trust Maturity Model,” (2021), https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf.